March 2017

March 30, 2017

Last week, Threatpost reported that the second Vault 7 Dark Matter release shows the CIA has an unsurprising interest in tracking iPhone users, as well as a capability to develop implants and exploits targeting the firmware running on MacBooks.

The iPhone attack documentation for the CIA's NightSkies tools describes a beacon dating back to 2008, purpose-built for factory iPhones, indicating the CIA's ability to interdict the Apple supply chain and install this tool.

"Intelligence agencies used to put these beacons in someone's car and track its radio signals. Modern beacons infest iPhones and report over the internet the location of an iPhone and other information from the phone," said WikiLeaks founder, exiled publisher Julian Assange, during a press conference aired over the WikiLeaks Periscope account. "Noteworthy is that NightSkies reached version 1.2 in 2008, indicating that it was in the process of being developed for some time," Assange said. "It is expressly designed to be physically installed on factory-fresh iPhones, not phones that are stolen and then have the malware implanted, but in an iPhone before you get it."

Other information in the dump shows how the CIA concentrated on developing malware and exploits that would attack the firmware running on Macs and iPhones, specifically EFI and UEFI firmware.

I have no doubt that the folks in Cupertino are looking carefully at the security of Apple's supply chain.

March 29, 2017

Warning: This post requires some length by way of background, but you'll like the ending . . .

Last week, I read a story from Sophos describing how federal prosecutors are creating a cloud-based database full of personal data extracted from the locked phones of Trump protesters arrested on Inauguration day. The prosecutors want to make the data available to the lawyers of 214 defendants accused of felony rioting but are seeking an order from the court that would prohibit the defense lawyers from copying or sharing the information unless it's relevant to defend their clients.

As you may recall, on the day of the arrests, January 20th, prosecutors claimed that more than 200 protesters marched through the heart of Washington DC, causing more than $100,000 in damage. The protesters shattered store windows, set fire to a limo, and hurled projectiles at police in riot gear, who responded with flash-bang grenades, tear gas and pepper spray.

Police arrested what they said were about 230 people who rioted or incited to riot. Not all of those arrested were protesters: rather, as reputable media reported, sweeping arrests during the inauguration parade indiscriminately targeted rioters, protesters, medics, lawyers and journalists alike.

Police seized the phones of more than 100 of those arrested. Although all of the devices were locked, the government is now in the process of extracting data from the phones and "expects to be in a position to produce all of the data from the searched Rioter Cell Phones in the next several weeks," according to the filing. This is where my BS filter started to kick in.

Police also turned to Facebook to mine data about the protesters: subpoenas for account information were being served on Facebook within a week of the arrests, and one arrestee's Gmail account showed account activity from his or her mobile device while it was in police possession.

The government plans to put each defendant's extracted phone data in a separate folder on a portal called USAfx. Through that portal, every defendant's lawyer will be able to access every other defendant's phone data, including all the personal stuff. The feds have requested a protective order that would keep defense lawyers from copying and disseminating the private phone data from defendants besides their own clients… unless it's relevant to preparing a defense.

The story mentioned the Cellebrite Physical Analyzer as a tool to search a phone's contents. In some, but not all cases, the courts have decided that law enforcement requires reasonable suspicion to use such a tool. In the case of the Trump protesters, government officials said they have search warrants to extract data from the phones.

If encryption precludes using a tool like Cellebrite's, there are partners who can give decryption a try. Forbes cited Mitre Corporation, classified as a Federally Funded Research and Development Center, which is often relied on by government agencies to search mobile devices. As the story notes, the police could have simply forced those arrested to unlock their phones with their fingerprints or convinced them to give over their PINs.

So how could there be 100% certainty of getting the data from the phones? As always with a thorny security question, I queried Dave Ries and John Simek, my frequent cybersecurity co-authors and presenters. Dave found a story from Threatpost which seems to belie the notion that the feds can get into any phone.

The March 8th story talked about FBI director James B. Comey reviving the "Going Dark" discussion during a keynote address at the Boston Conference on Cyber Security, saying it's time for an adult conversation on the prevalence of strong encryption and how it hinders criminal and national security investigations.

Comey said that between October and December of last year, the FBI took possession of 2,800 devices, and 1,200 of them the bureau could not crack to access the stored data.

"There is no absolute right to privacy," Comey said, adding, "with respect to default, strong encryption, it changes that bargain, and shatters it, in my view."

There was never much doubt as to where Comey stood. But the admission that there were 1,200 phones the FBI could not crack, together with the rest of his remarks, clearly indicates something that our friend Dave reduced to an equation worth remembering by all of us as we seek to protect the private data in our smartphones.

How to defeat the feds? Modern, strong encryption + a current phone + the current OS + all updates installed = a pretty good chance that you will successfully ward off efforts to get to your data.

March 28, 2017

EDRM has released a Security Audit Questionnaire designed primarily to help evaluate the security capabilities of cloud providers and third parties offering electronic discovery or managed services. You can use the questionnaire to assess an organization's strength in protecting data from destruction or unauthorized access, as well as compliance with data-related legislation such as:

Gramm Leach Bliley Act (GLBA)

HIPAA

PCI DSS (Payment card industry)

Sarbanes-Oxley Act

Security breach notification laws

The tool sets out 74 separate criteria under seven categories. Use it to assign an importance or weight to each criterion, so that you can emphasize the criteria that are mission-critical for you and downplay those that are less important to your business.

March 27, 2017

At least it is almost true - Data Breach Today reported that New Mexico is set to become the 48th state to enact a data breach notification law, which would leave Alabama and South Dakota as the only states without such a statute. The New Mexico Senate on March 15 passed the Data Breach Notification Act, or HB 15, by a 40-0 vote and sent the bill to Gov. Susana Martinez for her signature. The House approved the bill by a 68-0 margin on February 15.

Martinez is reviewing the legislation and has 20 days from passage to decide whether to approve it. The bill's sponsor, Rep. Bill Rehm, says he believes she will sign the measure.

What took New Mexico so long to enact a data breach notification law? Resistance from some businesses was reportedly a key factor. New Mexico's law, if enacted, would require businesses operating in the state to take reasonable security procedures to safeguard personally identifiable information. Unlike Massachusetts' law, the New Mexico measure is not prescriptive, giving a lot of latitude to businesses to decide how best to protect PII.

The measure also would require organizations to notify the state attorney general if more than 1,000 New Mexicans fell victim to a breach.

Breached organizations must notify individuals "in the most expedient time possible, but not later than 45 days following discovery of the security breach," according to an analysis of the bill by the law firm Baker Hostetler. Organizations would be exempt from notification if, after an investigation, it is determined the breach didn't pose a significant risk of identity theft or fraud.

Like notification laws in many other states, organizations would be exempt from complying with the New Mexico statute if they must comply with the Gramm-Leach-Bliley Act that governs financial institutions handling private information or the Health Insurance Portability and Accountability Act that regulates patient information.

The New Mexico measure would require organizations to provide breach victims with advice on how to access personal account statements and credit reports to detect errors resulting from the security breach and also inform them of their rights under the Fair Credit Reporting and Identity Security Act.

Clearly, it is a royal pain to comply with a patchwork of state regulations. To me, a federal law makes much more sense. Of course, no one has asked for my opinion. Efforts to pass a federal law have failed since 2008. In spite of the appeal of the simplicity of having a single law, some consumer advocates have worried that the stronger protections of the Massachusetts and California laws would be watered down in a federal law.

Having watched dismal failure after dismal failure to enact a federal law, I am not holding my breath. One law makes far too much sense to be adopted . . .

March 23, 2017

Some of you may be too young to remember the song "The Secret Service Makes Me Nervous" so I obligingly include a link to the song in the 1962 Broadway production of Mr. President. For some reason, my Swedish grandmother was captivated by the title which she was prone to singing at odd moments.

I thought of her this week when I read the headlines about the Secret Service losing a laptop. Not only a laptop, but one containing sensitive information, including Trump Tower floor plans and evacuation protocol as well as information pertaining to the Hillary Clinton campaign e-mail investigation, according to a CBS story.

Now that's not a laptop you want to lose. And once again, we see why it is not a good idea to leave a laptop in a car, even if it is parked in the driveway of a Secret Service agent's home.

Other sensitive documents that were in the car were also taken, but it's unclear what those documents are.

"The U.S. Secret Service can confirm that an employee was the victim of a criminal act in which our Agency issued laptop computer was stolen," the agency said in a statement last Friday. "Secret Service issued laptops contain multiple layers of security including full disk encryption and are not permitted to contain classified information. An investigation is ongoing and the Secret Service is withholding additional comment until the facts are gathered."

This mystified me. It seemed to me that the data we know that laptop carried would certainly be considered classified information.

It is unclear if the theft was random or if the agent was targeted. CBS reported that the stolen laptop is considered a compromise of national security. Not sure why that would be true if the laptop had full disk encryption. But what do I know? All I know is that the Secret Service makes me nervous.

March 22, 2017

Though hardly recovered from ABA TECHSHOW 2017, I wanted to make sure that RTL readers remember to put a hold on the dates for next year's TECHSHOW in Chicago. Those dates are March 7-10, 2018.

And congratulations to our friends Debbie Foster and Tom Mighell for being named as the co-chairs of ABA TECHSHOW 2018. They are shown here clowning it up a bit as they get the publicity train rolling down the tracks.

Congratulations also go to my husband/business partner John Simek and our good friend Lincoln Mead for being named as the co-vice chairs of ABA TECHSHOW 2018.

March 21, 2017

Dark Reading reported that the 2017 Verizon Data Breach Digest (99 pages) breaks out 16 different attack scenarios and specifies the target, sophistication level, attributes, and attack patterns, along with their times to discovery and containment. The Digest is full of intriguing stories of online misconduct.

In one example, an online gaming company finds its production network hacked - and worse, points of top players were being siphoned off and customers' personal information might have been compromised as well. Network and application logs were quickly parsed and Verizon's RISK team identified 15 systems that process game-point transactions, yet only 14 of them were known to be legitimate resources.

Sure enough, the anomalous system, while valid, had been abandoned for more than a year after an employee left the company. But it remained attached to the network, if dormant, and was an inviting target for hackers who brute-forced it, then loaded it with malware.

Situations like these, involving hidden endpoints that could be anything from systems and user accounts to software or data, are what Verizon labels "Unknown Unknowns," and they are the hardest for organizations to plan for and react to, Verizon says in its latest Data Breach Digest (DBD) report. "We're seeing lots of cases of Unknown Unknowns … detection systems are picking up old and new malware that may be sitting there," said John Grim, senior manager and lead for Verizon's investigative response team. "We then come in and see if it's done any damage or if it's just laying in wait. Sometimes they emerge when we do testing."

The DBD has two objectives: Sketch out the complexity of the most common kinds of attacks, and provide a guidebook for all the individuals affected in the chain of command.

In another DBD scenario dubbed "Mobile Assault – The Secret Squirrel," Verizon outlines the problems faced by a business traveler who may be forced to use sketchy Wi-Fi networks, hand over their laptop or smartphone at security checkpoints or immigration areas, or be required to decrypt their devices completely. There's also the potential for loss, theft, or device tampering in a hotel room; in some instances, specific companies and individual personnel are targeted for the high-value data they carry or are able to access.

The fix for Mobile Assault is very simple. Employees no longer travel with their assigned corporate devices, but instead are given "travel" smartphones and laptops, and after every trip, these devices are wiped clean and rebuilt. "From a forensic examination standpoint, having this known baseline image to compare against drastically reduces analysis time and helps [the organization] focus on potential problems rather than background noise," Verizon says in the new DBD report.
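The baseline comparison Verizon describes, as an added example that is not Verizon's tooling or code from the Digest: the rebuilt travel image is recorded as a manifest of SHA-256 hashes before the trip, the device is imaged again on return, and the two manifests are diffed so the examiner looks only at what changed. The directory layout and file contents are constructed for the demonstration.

```python
"""Compare a returned travel device against its known baseline image.

Added example (not Verizon's code). Assumes both the pre-trip baseline and
the post-trip image are available as directory trees; real work would run
this over mounted forensic images, but the sample data here is constructed.
"""
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map each relative file path under root to its SHA-256 digest."""
    manifest = {}
    root = Path(root)
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256()
            with path.open("rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[path.relative_to(root).as_posix()] = digest.hexdigest()
    return manifest


def diff_manifests(baseline, current):
    """Return files added, removed and modified relative to the baseline."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(
            k for k in base_keys & cur_keys if baseline[k] != current[k]
        ),
    }


def demo():
    """Constructed sample: a clean image and a post-trip image with deltas."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "baseline"
        post = Path(tmp) / "post_trip"
        files = {  # contents of the rebuilt travel image (constructed)
            "etc/hosts": b"127.0.0.1 localhost\n",
            "home/traveler/notes.txt": b"packing list\n",
            "usr/bin/ssh": b"\x7fELF-ssh-binary",
        }
        for root in (base, post):
            for rel, data in files.items():
                target = root / rel
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(data)
        # Post-trip deltas an examiner would want surfaced: an unexpected
        # new file, a system binary whose hash no longer matches, a deleted note.
        unexpected = post / "tmp/.cache.bin"
        unexpected.parent.mkdir(parents=True, exist_ok=True)
        unexpected.write_bytes(b"unexpected content")
        (post / "usr/bin/ssh").write_bytes(b"\x7fELF-ssh-binary-changed")
        (post / "home/traveler/notes.txt").unlink()
        return diff_manifests(build_manifest(base), build_manifest(post))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9}: {paths}")
```

Files reported as modified or added are the candidates for deeper analysis; everything matching the baseline is the background noise the report refers to.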

The report also deconstructs the complexity of breaches from a human standpoint and a stakeholder perspective, Grim told Dark Reading. It's no longer enough to tell companies and end-user organizations, "This is the malware, and this is how you fix it," Grim added. "HR and legal need to be involved too if it's an inside threat or involves employee records." Grim was quick to emphasize that the DBD report isn't just for IT staff or InfoSec professionals. Human resources professionals can query the report for HR issues, or HR in a specific industry sector. Incident responders can also query by industry, Grim said.

The DBD uses data derived from Verizon's more comprehensive Data Breach Investigations Report. This is the second year Verizon has released the digest.

Verizon also offers a five-point incident response plan for organizations that have discovered any kind of data breach:

Preserve evidence; consider consequences of every action taken once the breach has been discovered.

Be flexible; adapt to evolving situations.

Establish consistent methods for communication.

Know the limits of your own expertise; collaborate with other key stakeholders.

March 20, 2017

The New York Times reported on March 15th that the Justice Department had charged two Russian intelligence officers with directing a sweeping criminal conspiracy that stole data from 500 million Yahoo accounts in 2014.

The Russian government used the information obtained by the intelligence officers and two other men to spy on a range of targets, from White House and military officials to executives at banks, two American cloud computing companies, an airline and a gambling regulator in Nevada, according to an indictment. The stolen data was also used to spy on Russian government officials and business executives, federal prosecutors said.

Well, that sure cuts a wide swath.

Russians have been accused of other cyberattacks on the United States — most notably the theft of emails last year from the Democratic National Committee. But the Yahoo case is the first time that federal prosecutors have brought cybercrime charges against Russian intelligence officials, according to the Justice Department.

American investigators are particularly aghast that the two Russian intelligence agents they say directed the scheme, Dmitry Aleksandrovich Dokuchaev and Igor Anatolyevich Sushchin, worked for an arm of Russia's Federal Security Service, or F.S.B., that is supposed to help foreign intelligence agencies catch cybercriminals. Instead, the officials helped the hackers avoid detection.

The two other men named in the indictment include a Russian hacker already indicted in connection with three other computer network intrusions and a Kazakh national living in Canada. One of the hackers also conducted an extensive spamming operation, stole credit and gift card information, and diverted Yahoo users looking for erectile dysfunction drugs to a particular pharmacy. Getting a kickback, I suppose.

Karim Baratov is the only one of the accused hackers who has been arrested in connection with the case. He was captured by the authorities in Canada on March 14th. The chances of the United States taking the other three into custody any time soon appear slim to none, especially because the United States has no extradition treaty with Russia.

The fourth person involved in the scheme, a Russian named Alexsey Belan, had been indicted twice before for three intrusions into American e-commerce companies. At one point, he was arrested in Europe, but he escaped to Russia before he could be extradited. Prosecutors said they had repeatedly asked the Russian government to hand over Mr. Belan but had gotten no response.

Yahoo disclosed the theft of its data in September and said it was working with the law enforcement authorities to trace the perpetrators. The hackers were able to use the stolen information, which included personal data as well as encrypted passwords, to create a tool that gave them access to 32 million accounts over a period of two years.

In a statement on March 15th, Yahoo thanked the FBI and the Justice Department for their work.

It remains unclear why Yahoo users were not informed about the hack during the two-year investigation. An internal investigation by the company's board found that some senior executives and information security personnel were aware of the breach shortly after it occurred but "failed to properly comprehend or investigate" the situation. Two weeks ago, the company's top lawyer, Ronald S. Bell, resigned over the episode, and its chief executive, Marissa Mayer, lost her 2016 bonus and 2017 stock compensation.

We are, in case anyone has failed to notice, in a cyberwar with Russia.

March 16, 2017

The flurry of Presidential tweets about New York offices in Trump Tower being tapped by the Obama administration has been headline news for a while. While the claim has not yet been substantiated, The Hill explains that intelligence agencies might have been listening in even without a warrant from a federal court.

"Backdoor searches" of communications involving non-U.S. citizens are permitted. Someone under surveillance may be speaking with an American citizen, whose side of the conversation is then captured as well – with no warrant required.

If Trump or members of his team were speaking with a non-U.S. citizen who was being investigated for spying during the election process, then it might be the case that those conversations were recorded and disseminated throughout the intelligence community.

While the practice is controversial, with privacy advocates arguing a warrant should be required, the intelligence agencies' operations are legal and widespread – and likely the basis for President Trump's claim that Obama "wiretapped" Trump Tower.

As The Hill explains, ever since reforms in the 1970s after the Watergate scandal, the president does not have the legal authority to directly order a wiretap.

There are two methods by which intelligence agencies currently could eavesdrop – without a warrant – on the communications of a citizen, including Donald Trump. The Foreign Intelligence Surveillance Act (FISA) permits spying on foreigners within U.S. borders. While it is also permitted to spy on a U.S. citizen under this law, Justice Department officials would need to demonstrate to the court that the subject of the surveillance was acting as an agent of a foreign entity.

While James Clapper, former director of national intelligence, testified this past weekend that there was not a FISA warrant in place on Trump or his team, other reports hint at the possibility that courts did allow the FBI to keep tabs on two Russian banks. So, should any of Trump's partners have had dealings with the targets of the FBI's investigation, those details would have been gathered legally and shared among the intelligence agencies.

Another less common legal proceeding, known as 12333, or "twelve triple-three," manages U.S. intelligence-gathering offshore. It authorizes the attorney general to permit searches "of communications to or from an American for the purposes of targeting that American – again, as long as the attorney general determines that person is an agent of a foreign power," according to The Hill.

The National Security Agency can upload that intercepted intelligence to an online repository through which other intelligence agencies can search.

The consensus among surveillance experts is that the most likely explanation for Trump's claim is that his communications were captured by the intelligence agencies working legally through a FISA court order. That assumes that the surveillance actually happened of course. In a topsy-turvy world of facts and alternative facts, it is hard to tell reality from fiction.

March 15, 2017

There's been so much to blog about that I ended up holding on to a story from SC Magazine that is worth reading. New York's cybersecurity regulations became effective on March 1st – these are the country's first state-mandated cybersecurity regulations regarding banking and financial services.

The regulation adapts industry best practices – such as guidelines issued by the Securities and Exchange Commission and the Financial Industry Regulatory Authority (FINRA) – and contains 23 sections calling for such things as encryption of all non-public information, appointing a CISO, employee security training, enhanced multifactor authentication and the yearly submission by a senior officer of a certification affirming that the company is in compliance with the regulation's requirements.

Key elements of New York State's cybersecurity regulation include:

Establishment of a cybersecurity program

Adoption of a written cybersecurity policy

Mandatory chief information security officer

Cybersecurity training for employees

Third-party service provider risk

Incident monitoring and reporting

Information security audits

Under the new regulations, banks are now required to scrutinize their suppliers, and to report on breaches that affect them, Balázs Scheidler, CTO and co-founder of Balabit, told SC Media.

I am not sure how much of New York's new law is different from current federal regulations – colleagues have told me there isn't much here that isn't in the federal laws and regulations. Nonetheless, it will be interesting to see if other states move to enact similar laws.

Sensei Enterprises, Inc.

3975 University Drive
Suite 225
Fairfax, VA 22030
703.359.0700

Disclaimer

This blog is intended to impart general information and does not offer specific legal advice. Use of this blog does not create an attorney-client relationship. If you require legal advice, consult an attorney.